Click Studios Patches Passwordstate Authentication Bypass Vulnerability in Emergency Access Page
Briefly

"Click Studios, the developer of enterprise-focused password management solution Passwordstate, said it has released security updates to address an authentication bypass vulnerability in its software. The issue, which is yet to be assigned a CVE identifier, has been addressed in Passwordstate 9.9 (Build 9972), released August 28, 2025. The Australian company said it fixed a "potential Authentication Bypass when using a carefully crafted URL against the core Passwordstate Products' Emergency Access page.""
"The safeguards are likely in response to findings from security researcher Marek Tóth, who, earlier this month, detailed a technique called Document Object Model (DOM)-based extension clickjacking that several password manager browser add-ons have been found vulnerable to. "A single click anywhere on an attacker-controlled website could allow attackers to steal users' data (credit card details, personal data, login credentials, including TOTP)," Tóth said. "The new technique is general and can be applied to other types of extensions.""
"According to Click Studios, the credential manager is used by 29,000 customers and 370,000 security and IT professionals, spanning global enterprises, government agencies, financial institutions, and Fortune 500 companies. The disclosure comes over four years after the company suffered a supply chain breach that enabled attackers to hijack the software's update mechanism in order to drop malware capable of harvesting sensitive information from compromised systems."
Passwordstate 9.9 (Build 9972), released August 28, 2025, fixes what Click Studios describes as a potential authentication bypass against the core products' Emergency Access page when it is reached through a carefully crafted URL; no CVE identifier has been assigned yet. The same build adds protections intended to reduce the risk of clickjacking attacks against the Passwordstate browser extension. Those protections respond to Marek Tóth's research on DOM-based extension clickjacking, in which a single click on an attacker-controlled site can expose credit card details, personal data, login credentials and TOTP codes through a vulnerable password-manager extension. Click Studios reports 29,000 customers and 370,000 security and IT professionals as users. The company suffered a supply-chain breach of its update mechanism in 2021, more than four years before this disclosure, and fixed critical API flaws in 2022.
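The page does not say what Click Studios' extension protections consist of, and this is not their code or Tóth's. It is an added example of the kind of check an extension can run before acting on a click on UI it injected into the page DOM. It assumes (from the summary above, not from detail on the page) that the attack hides the injected element, or an attacker-controlled ancestor of it, with CSS and parks it under the cursor; the element id `pw-autofill`, the thresholds and the style snapshots are all constructed for this illustration.

```javascript
'use strict';

// Added illustration; not code from Click Studios, Passwordstate or the cited
// research. Assumption behind it: DOM-based extension clickjacking hides an
// extension's page-injected UI (an autofill dropdown, say) with CSS applied to
// that element or to an attacker-controlled ancestor, and parks it under the
// cursor so the victim's single click lands on it. The guard below is one
// check an extension could run before it acts on such a click: it refuses
// clicks on UI that is not actually rendered visible to the user.

// Thresholds chosen for this example (not from the page).
const MIN_EFFECTIVE_OPACITY = 0.9; // opacity compounds down the ancestor chain
const MIN_SIZE_PX = 8;             // a near-zero-size target was not chosen by a user

function parseOpacity(value) {
  const n = Number(value === undefined ? 1 : value);
  return Number.isFinite(n) ? Math.min(1, Math.max(0, n)) : 1;
}

/**
 * chain[0] is the injected element, chain[1..] its ancestors up to <html>.
 * Each entry holds the subset of getComputedStyle() and getBoundingClientRect()
 * the guard needs; a real extension would collect them from the live DOM at
 * click time:  { display, visibility, opacity, rect: { left, top, width, height } }
 * hitTestTarget is the id of the element document.elementFromPoint(x, y)
 * returns at the click location. Returns { allow, reason }.
 */
function checkClickTarget(chain, hitTestTarget, ownId,
                          viewport = { width: 1280, height: 800 }) {
  if (hitTestTarget !== ownId) {
    return { allow: false, reason: 'topmost element at the click point is not ours' };
  }
  let effectiveOpacity = 1;
  for (const node of chain) {
    if (node.display === 'none') {
      return { allow: false, reason: 'display:none in the ancestor chain' };
    }
    if (node.visibility === 'hidden') {
      return { allow: false, reason: 'visibility:hidden in the ancestor chain' };
    }
    effectiveOpacity *= parseOpacity(node.opacity);
  }
  if (effectiveOpacity < MIN_EFFECTIVE_OPACITY) {
    return { allow: false,
             reason: `effective opacity ${effectiveOpacity.toFixed(2)} is below ${MIN_EFFECTIVE_OPACITY}` };
  }
  const r = chain[0].rect;
  if (r.width < MIN_SIZE_PX || r.height < MIN_SIZE_PX) {
    return { allow: false, reason: `element is only ${r.width}x${r.height}px` };
  }
  const offScreen = r.left + r.width <= 0 || r.top + r.height <= 0 ||
                    r.left >= viewport.width || r.top >= viewport.height;
  if (offScreen) {
    return { allow: false, reason: 'element is positioned outside the viewport' };
  }
  return { allow: true, reason: 'rendered visible at the click point' };
}

// Constructed snapshots (sample data for this example). The id the extension
// gave its dropdown is assumed to be 'pw-autofill'.
const OWN_ID = 'pw-autofill';
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1' };
const DROPDOWN = { ...VISIBLE, rect: { left: 300, top: 220, width: 240, height: 48 } };
const WRAPPER_RECT = { left: 280, top: 160, width: 400, height: 300 };
const HTML_ROOT = { ...VISIBLE, rect: { left: 0, top: 0, width: 1280, height: 3000 } };

// 1. Honest page: the wrapper around the login form is fully visible.
const HONEST_CHAIN = [DROPDOWN, { ...VISIBLE, rect: WRAPPER_RECT }, HTML_ROOT];

// 2. Clickjacked: the attacker page wraps the injection point in opacity:0, so
//    the dropdown still receives the click but the victim sees only the decoy
//    the attacker drew underneath it.
const CLICKJACKED_CHAIN = [DROPDOWN, { ...VISIBLE, opacity: '0', rect: WRAPPER_RECT }, HTML_ROOT];

// 3. Variant: the injected element is shrunk to a 1x1px dot under the cursor.
const TINY_CHAIN = [
  { ...VISIBLE, rect: { left: 512, top: 400, width: 1, height: 1 } },
  { ...VISIBLE, rect: WRAPPER_RECT },
  HTML_ROOT,
];

// Runs the guard over the three snapshots; returns a map of case -> allow.
function demo() {
  const cases = { honest: HONEST_CHAIN, clickjacked: CLICKJACKED_CHAIN, tiny: TINY_CHAIN };
  const results = {};
  for (const [name, chain] of Object.entries(cases)) {
    const verdict = checkClickTarget(chain, OWN_ID, OWN_ID);
    results[name] = verdict.allow;
    console.log(`${name.padEnd(12)} allow=${verdict.allow}  (${verdict.reason})`);
  }
  return results;
}

demo();
```

A guard like this only narrows the attack; page CSS can still reach any element the extension places in the page's own DOM. The stronger design is to keep credential-bearing UI out of the page DOM entirely (for example in an extension-owned frame or in browser-native UI the page cannot style), and to require a deliberate user gesture on that UI before any secret is released.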
Read at The Hacker News